Our friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates let anyone rewrite what the page displayed simply by editing parameters in its URL, substituting their own images and text for the ones normally shown. Since the site is intended to let websites display a custom top banner, this was ‘as designed’, at least until jokesters began taking advantage.
The trick works (or at least, it did) by taking the page’s default URL from the browser’s address bar and editing the parameters that carry the artist name, album name, album thumbnail source and the link behind the image. Because the page rendered those values as supplied, whatever you put in the URL showed up on Apple’s own page, under Apple’s own domain.
The Internet moves pretty fast, though. As I was typing this, Apple removed the top banner altogether, preventing the customized image display. No more pranks for us.
In any case, OS X Daily pointed out that the image issue could allow malicious folks to redirect would-be Apple visitors to malware sites or other bad destinations: since the link target was editable along with the image, a crafted URL would carry the credibility of Apple’s domain while sending anyone who clicked the banner wherever the prankster chose. Even an innocent image viewer that appears within an iframe on a branded page can cause problems; that’s what the folks at Wired found out last January, when someone took advantage of their image tool to post a hoax “Steve Jobs had a heart attack” news story.
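To make the mechanism concrete, here is an added example that is not TUAW’s or Apple’s code: a banner renderer that copies URL parameters straight into the page, which is the pattern behind both the image swap and the redirect risk described above, next to a hardened version. The parameter names (`artist`, `album`, `thumb`, `link`), the allow-listed hosts and the default URLs are hypothetical; Apple’s actual parameter names and hosts are not given in the story.

```javascript
// Added example (not from the original post or from Apple). Demonstrates a
// banner whose text, image and link come from URL parameters.
// Parameter names and host names below are hypothetical.

// Vulnerable: every parameter lands in the markup unchanged. Whoever edits
// the URL controls the text, the image and the click target, and the page
// still appears under the site's own domain.
function renderBannerUnsafe(query) {
  const p = new URLSearchParams(query);
  return `<div class="banner"><a href="${p.get('link')}">` +
         `<img src="${p.get('thumb')}" alt="${p.get('album')}"></a>` +
         `<span>${p.get('artist')}</span></div>`;
}

// Hardened: text is HTML-escaped, and URLs must be absolute https URLs whose
// host is on an allow-list. Anything else falls back to a neutral default.
const ALLOWED_IMAGE_HOSTS = new Set(['images.example.com']); // hypothetical
const ALLOWED_LINK_HOSTS  = new Set(['store.example.com']);  // hypothetical
const DEFAULT_THUMB = 'https://images.example.com/default.png'; // hypothetical
const DEFAULT_LINK  = 'https://store.example.com/';             // hypothetical

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Returns the normalized URL if it is https and its host is allow-listed,
// otherwise the fallback. Relative URLs, javascript: URLs and unparsable
// input all fail the URL constructor or the protocol check.
function safeUrl(candidate, allowedHosts, fallback) {
  if (typeof candidate !== 'string') return fallback;
  let u;
  try { u = new URL(candidate); } catch { return fallback; }
  if (u.protocol !== 'https:') return fallback;
  if (u.username || u.password) return fallback; // https://good@evil tricks
  if (!allowedHosts.has(u.hostname)) return fallback;
  return u.href;
}

function renderBannerSafe(query) {
  const p = new URLSearchParams(query);
  const artist = escapeHtml(p.get('artist') || '');
  const album  = escapeHtml(p.get('album') || '');
  const thumb  = safeUrl(p.get('thumb'), ALLOWED_IMAGE_HOSTS, DEFAULT_THUMB);
  const link   = safeUrl(p.get('link'), ALLOWED_LINK_HOSTS, DEFAULT_LINK);
  return `<div class="banner"><a href="${link}">` +
         `<img src="${thumb}" alt="${album}"></a>` +
         `<span>${artist}</span></div>`;
}

// Constructed sample query: a prankster's thumbnail and a javascript: link.
const PRANK_QUERY =
  'artist=Joker&album=Prank&thumb=https://attacker.example/lol.png' +
  '&link=javascript:alert(1)';
```

Run against `PRANK_QUERY`, `renderBannerUnsafe` emits the attacker’s image and a `javascript:` link verbatim, while `renderBannerSafe` substitutes the defaults and escapes the text. Removing the banner entirely, as Apple did, is the quickest fix; keeping it requires the allow-list, because a domain that renders arbitrary third-party images and links is exactly what makes a hoax or a redirect convincing.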
Props to Apple’s web development team, though, for taking this down within the ten minutes it took me to finish the post.
“Apple’s iTunes Affiliates site briefly subjected to image swaps” originally appeared on The Unofficial Apple Weblog (TUAW) on Tue, 03 Nov 2009 20:00:00 EST.